Tech Companies Shine Some Light on National Security Requests

Why It Matters

Revelations about surveillance by the U.S. government cast doubt on the privacy of user data held by technology companies.

Newly released reports from Web and telecom service providers such as Facebook reveal for the first time that tens of thousands of Americans have had the contents of their accounts sent to government investigators in the name of national security.

Not all companies release such information the same way, but by compiling several of their “transparency reports,” it is clear that a substantial portion of government requests for customer data are being made under the Foreign Intelligence Surveillance Act (FISA). The act allows for extensive electronic evidence to be gathered about people suspected of being involved in terrorism or espionage, and requests are made through a special court whose findings are generally secret.

It has always been legal for companies to report the number of conventional law enforcement requests. Since last summer, in the wake of Edward Snowden’s revelations about the National Security Agency’s surveillance efforts, the FBI and the Department of Justice have allowed companies to also report FISA requests made by the government.

Now Verizon, Google, Facebook, Yahoo, Tumblr, Microsoft, and AT&T have all disclosed FISA request numbers for the first six months of 2013. They chose the option to report FISA requests for “content” (posts, e-mails, texts, photos, etc.) and “non-content” (subscriber information and call records), together with the number of individual customers specified in each of those requests, in bands of 1,000. They also report National Security Letters (NSLs), which are requests from the FBI for limited customer data.

Facebook, Yahoo, and Tumblr reported total U.S. government requests, a figure that includes national security-related requests.

Microsoft and Google both report conventional law enforcement requests and national security-related requests separately.

Apple, LinkedIn, Dropbox, and Cloudflare, a content delivery network, chose the option to add up all national security requests, including FISA requests and National Security Letters, and report them as one number, in bands of 250.

Absent from the group of companies that chose to report national security requests is Twitter, which reported 833 conventional U.S. law enforcement requests that specified 1,323 individual accounts.

Several companies have expressed a desire to disclose national security requests with more precision, and in greater detail, in future reports. In Twitter’s latest report, Jeremy Kessel, manager of global legal policy, criticized the requirement to report in large ranges, which he said “do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of—or any—national security requests.”